
Fun Way to Send Attachments in Mail

If you're working in a file that you want to attach to a message in Apple Mail, you can transfer the file to Mail easily: From the title bar of the file's window, drag the little proxy icon to Mail's icon on the Dock. Your Mac will make Mail the active application and open a new outgoing message, with the file attached.

Security Experts Urge Google to Secure All Sessions

Google has been name-checked on security. A letter sent on 16-Jun-09 to Google CEO Eric Schmidt strongly urges the company to make a secure connection the default method for Web applications. Among the 38 signatories to the letter are a host of well-known security experts, researchers, and advocates, including Ronald Rivest (the R of RSA), Bruce Schneier, Jon Callas, Eugene Spafford, Peter G. Neumann, William Cheswick, and Steven Bellovin.

Two years ago, Google's use of unsecured connections came to the fore with the discovery of sidejacking, a technique for grabbing the authentication cookies that Google uses to identify users during an unsecured session and inserting them into a browser under the sidejacker's control. Sidejacking can be performed anywhere there's an open Wi-Fi hotspot or an untrusted Ethernet network in which traffic is mingled and sniffable. (See "Sidejack Attack Jimmies Open Gmail, Other Services," 2007-08-27.)

Google has taken some steps to derail sidejacking, including marking the Gmail authentication cookie with a secure flag that should keep it from being sent without encryption even if https isn't used. Google also added an option to require https (SSL/TLS secured) connections for Gmail. (See "Google Gmail Adds Secure Session Option," 2008-07-28.) The researchers noted that other services, like Google Docs and Google Calendar, support https as well, although there's no way to set that level of security as a default.
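The Secure flag described above works because a browser will only attach a cookie carrying that flag to requests sent over https, so a sidejacker sniffing cleartext traffic never sees it. The following Python snippet is an added example (not code from TidBITS, Google, or the letter's authors) that parses Set-Cookie headers, simulates that browser decision, and reports which cookies would still travel in cleartext if the user ever loaded a plain http URL on the same domain. The header values and the example.test domain are constructed for illustration.

```python
"""Audit Set-Cookie headers for the Secure flag and simulate whether a
browser would attach each cookie to an http:// or https:// request.
Added example; all sample headers below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool      # Secure attribute present
    http_only: bool   # HttpOnly attribute present


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and the flags we care about."""
    parts = [p.strip() for p in header.split(";")]
    # Only the first '=' separates name from value; the value may contain '='.
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; keep just the key of each attribute.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value, "secure" in attrs, "httponly" in attrs)


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """Mirror the browser rule: a Secure cookie goes out only over https."""
    scheme = urlparse(url).scheme.lower()
    return scheme == "https" or not cookie.secure


def audit(headers, url: str = "http://mail.example.test/"):
    """Return the names of cookies that would be sent in cleartext to `url`.

    With an http:// URL this is exactly the set a sidejacker on an open
    hotspot could capture; with https:// every cookie is sent but encrypted.
    """
    exposed = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if would_be_sent(cookie, url):
            exposed.append(cookie.name)
    return exposed


# Constructed sample responses: one cookie correctly marked Secure, one
# session cookie with no flags, and one preference cookie whose value
# itself contains an '=' character.
SAMPLE_HEADERS = [
    "GX=abc123; Domain=.example.test; Path=/; Secure; HttpOnly",
    "SID=xyz789; Domain=.example.test; Path=/",
    "PREF=lang=en; Domain=.example.test; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
]

if __name__ == "__main__":
    print("Cleartext over http: ", audit(SAMPLE_HEADERS, "http://mail.example.test/"))
    print("Sent over https:     ", audit(SAMPLE_HEADERS, "https://mail.example.test/"))
```

Run against a real service's response headers, the cleartext list is the set of cookies an operator should either mark Secure or stop treating as authentication tokens; a session cookie appearing there is the condition the letter is asking Google and others to eliminate by making https the default.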

The letter sent to Google claims that acquiring a Google authentication cookie from Docs or Calendar would allow access to Gmail, but one of Google's security team members, Alma Whitten, said in a blog entry that it wouldn't be possible for such a cookie to be intercepted.

The security experts urge that https sessions become the default for all Web-based services. The letter acknowledges that the lack of secure sessions is a widespread problem, and one that is even worse at Microsoft Hotmail, Yahoo Mail, Facebook, and MySpace, because those services don't offer a secure option at all. We expect that the security experts are starting with Google because of Google's existing optional support for secure connections, and that if they can convince Google to make the switch, they'll move on to these other companies.

They note that because Google apps are designed to work asynchronously (queuing and performing tasks at the server and then updating the browser without a page reload), any latency introduced by the additional encryption load on the user's machine or the server won't make the experience of using these applications worse.

Google's response, in Whitten's blog entry, is that Google remains concerned that there's not enough known about whether specific computer configurations, networks, or parts of the world would suffer far worse performance in an all-https world. Whitten also said that Google is planning a trial that moves small sets of Gmail customers who haven't explicitly requested https-only sessions to that option.